Efforts to Limit Cybersecurity Breaches of EHRs to Increase in 2017

As predicted, the increasing use of electronic health records (EHRs) resulted in a corresponding increase in the number of security breaches. Having such a large volume of records digitally stored in one place makes a lot of sense in many regards, but this comes with a downside: it also makes it much easier for them to be compromised.

In fact, the HHS (US Department of Health and Human Services) Office of the Inspector General (OIG) included investigations of how well providers protect EHR information in its 2017 workplan.

The sheer number of incidents affecting the healthcare industry made ransomware a household name in 2016. Two prominent incidents were widely reported:

Hollywood Presbyterian Medical Center paid $17,000 in bitcoins to recover the use of its EHR system

MedStar Health lost the use of its computers due to a ransomware attack

Regrettably, as healthcare administrators learned not to click on suspicious links, cyber criminals became more sophisticated. They started using targeted spear phishing. This involves using a spoofed email address to make the message look legitimate and including an attachment that appears to be something innocuous, such as an invoice.
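As an added example (not part of the original article), the Python function below shows how a mail administrator might triage a message for the pattern just described: a sender address that does not match where replies and bounces go, a failed sender check, and an "invoice" attachment that is really an executable. The sample message, its domains and the extension list are constructed for illustration.

```python
import re
from email import message_from_string, policy
from email.utils import parseaddr

RISKY_EXT = {".exe", ".scr", ".js", ".vbs", ".hta", ".lnk", ".iso", ".docm", ".xlsm"}

# Constructed sample message (all names and domains are made up).
SAMPLE = """\
Return-Path: <bounce@mailer-billing.example>
Authentication-Results: mx.clinic.example; spf=fail smtp.mailfrom=mailer-billing.example
From: "Accounts Payable" <ap@trusted-vendor.example>
Reply-To: ap@freemail.example
Subject: Overdue invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Please see the attached invoice.
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Invoice_2291.pdf.exe"

AAAA
--b1--
"""

def _domain(header_value):
    """Lower-cased domain of the address in a header, or '' if absent."""
    return parseaddr(str(header_value or ""))[1].rpartition("@")[2].lower()

def triage(raw):
    """Return a list of findings for one raw message (empty list = nothing flagged)."""
    msg = message_from_string(raw, policy=policy.default)
    findings, from_dom = [], _domain(msg["From"])
    for hdr in ("Return-Path", "Reply-To"):  # replies/bounces routed elsewhere
        dom = _domain(msg[hdr])
        if dom and dom != from_dom:
            findings.append(f"{hdr} domain {dom} differs from From domain {from_dom}")
    auth = " ".join(msg.get_all("Authentication-Results", [])).lower()
    for mech, result in re.findall(r"\b(spf|dkim|dmarc)=(fail|softfail)\b", auth):
        findings.append(f"{mech}={result} reported by the receiving server")
    for part in msg.iter_attachments():  # executable posing as a document
        name = (part.get_filename() or "").lower()
        stem, _, ext = name.rpartition(".")
        if stem and "." + ext in RISKY_EXT:
            kind = "double extension" if "." in stem else "risky extension"
            findings.append(f"attachment {name}: {kind} .{ext}")
    return findings
```

Calling `triage(SAMPLE)` returns four findings. Treat them as signals for a human to review rather than a verdict, since legitimate bulk mailers often use a different bounce domain.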

The HHS Office for Civil Rights released guidance on avoiding ransomware in July. The agency also clarified that such attacks constituted a HIPAA breach and should be reported to HHS as well as the patients affected and possibly the media.

Hacking

Cyber criminal hacking resulted in some major breaches in 2016:

21st Century Oncology, based in Fort Myers, reported a breach of 2.2 million patient records, which resulted in a number of class action lawsuits

Georgia’s Athens Orthopedic Clinic was breached in a common manner: an outside vendor’s login credentials were used to compromise the records of 200,000 patients

The Internet of Things

Cybersecurity experts have long expressed concern about the vulnerability of devices linked to the internet which have poor or no encryption. Johnson & Johnson warned that one of its insulin pumps was vulnerable to hacking because its communication system was unencrypted.

Steps Providers Can Use to Increase the Security of EHRs

Review an EHR’s security before using it and choose the most secure system

Train employees to recognize threats such as phishing attacks

Back up the EHR offline and test the backup to make sure it is accessible in an emergency

Limit access to the EHR and regularly review audit trails

Follow HIPAA’s security requirements:

Analyze the vulnerabilities of EHRs for security risk

Encrypt data

Keep the patches up to date

Following these measures will help to ensure that your online medical records do not end up in the hands of cyber criminals.